I have enabled csrf protection in Codeigniter. Using form_open()I'm able to produce a hidden csrf value that should be verified in my controller. However I'm not submitting any input fields but just passing a url paramater via the form action.
In my controller I don't need to set validation rules so I have
function delete_post($post_id = '') //post id passed via 3rd URL segment
{
if (is_int($post_id) && valid_post($post_id)) //valid_post() returns true if post id exists
{
$this->Posts_model->delete_post_model($post_id);
redirect('site');
}
}
Csrf protection doesn't seem to work without validation rules. Is it possible to make this work without passing post_id via a hidden input?
As you can see in the code of the Security class, CSRF protections only works with POST data (form validation also works with POST data actually).
You should to this the CodeIgniter way and use a POST request. If you're using AJAX, then simply change GET to POST, and if you're using a form, set the method to post. If you can't do it then you'll have to fight against CodeIgniter core code, so try to explain why. :)